TryHackMe | MD2PDF Walkthrough
Hi there, I’m glad to see you here. In this article, we’ll solve together the “MD2PDF” room in TryHackMe. In some sections, I’ll share a brief note about the subject. Don’t forget! You must always do your own research to learn more. I hope it will be helpful for you. Let’s start!
Contents:
- Directory Enumeration
- HTML Injection
Subject
Hello Hacker!
TopTierConversions LTD is proud to announce its latest and greatest product launch: MD2PDF.
This easy-to-use utility converts markdown files to PDF and is totally secure! Right…?
Note: Please allow 3–5 minutes for the VM to boot up fully before attempting the challenge.
Deploy the Machine
Step 1: You need an OpenVPN configuration file to connect to the TryHackMe machines over the VPN.
Step 2: Use the openvpn command to start your VPN connection.
Step 3: Can you see the IP address of the machine?
Step 4: You can check your connection.
Solution
Firstly, we need to run an nmap scan to find out which ports are open and which services are running on these ports.
Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing.
nmap -p- 10.10.175.100
-p- : You can specify “-p-” to scan ports from 1 through 65535.
You can use various parameters to determine which services are running on the ports. This is entirely up to you.
When we access port 80 via the browser, we see a field where we can enter any input. I guess this website converts the input to PDF format.
And when we access port 5000 through the browser, we see a similar structure, but it doesn’t work…
We can use the gobuster tool to explore directories to learn more about port 80 and 5000. You can also use different tools for this process, such as dirbuster and dirb. Your choice…
Gobuster is a tool used to brute-force URIs including directories and files as well as DNS subdomains.
gobuster dir -u http://10.10.175.100 -w <wordlist>
dir : Uses directory/file enumeration mode.
-u : We can use the option “-u” to specify the target URL whose hidden directories and files you want to dig into.
-w : Path to the wordlist.
gobuster dir -u http://10.10.175.100:5000 -w <wordlist>
When we take a look at the results, we can see that the admin directory exists on both ports. However, when we attempt to access it, we receive an HTTP 403 Forbidden error.
HTTP 403 is an HTTP status code meaning access to the requested resource is forbidden.
When we examine the error, we realize that these pages are only accessible internally.
We have received some errors up to this point, but be sure that we’ll reach the result thanks to these errors.
Now let’s go back and perform some basic tests inside the input field. I think we can start by typing “Hello World!”.
We currently have a PDF file. Maybe we can investigate this file using exiftool. But first, we need to download it.
ExifTool is a free and open-source software program for reading, writing, and manipulating image, audio, video, and PDF metadata.
When we look at the Creator information in the metadata, we see that this website converts HTML to PDF. Who knows, maybe there is an HTML Injection vulnerability.
Before we begin testing, let me explain what HTML Injection is.
HTML Injection is an attack that is similar to Cross-Site Scripting (XSS). While in an XSS vulnerability the attacker can inject and execute JavaScript code, an HTML injection attack only allows the injection of certain HTML tags. When an application does not properly handle user-supplied data, an attacker can supply valid HTML code, typically via a parameter value, and inject their own content into the page.
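The fix on the application side is to decide which markup is allowed to reach the PDF engine at all. The following is an added example (my own code, not the MD2PDF room's or any converter's): an allowlist sanitizer that rebuilds the HTML from a fixed set of tags and attributes before it is handed to the renderer. It assumes the converter turns markdown into HTML and then feeds that HTML to a PDF engine; the particular allowlist and the set of dropped elements are assumptions chosen for this demonstration.

```python
"""Allowlist HTML sanitizer for a markdown-to-PDF pipeline (added example).

Not code from the MD2PDF room. Assumes the converter renders the user's
markdown to HTML and passes that HTML to a PDF engine, so anything this
allowlist lets through is what the engine will load.
"""
from html import escape
from html.parser import HTMLParser

# Tags that may reach the PDF engine unchanged (assumed allowlist).
ALLOWED_TAGS = {"h1", "h2", "h3", "p", "a", "strong", "em",
                "ul", "ol", "li", "code", "pre", "br"}
# Attributes permitted per tag; every other attribute is dropped.
ALLOWED_ATTRS = {"a": {"href"}}
# Elements that load or execute resources: the tag AND its content go.
DROP_CONTENT_TAGS = {"iframe", "script", "style", "object", "noscript"}
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document from scratch, keeping only allowlisted markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1  # everything until the matching end tag is dropped
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                continue  # only plain web/mail links survive
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        # Self-closing form (<iframe .../>): nothing to skip, just drop it.
        if tag in DROP_CONTENT_TAGS:
            return
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped, so characters the user typed never become markup.
        if not self.skip_depth:
            self.out.append(escape(data))


def sanitize(html_fragment):
    """Return html_fragment with everything outside the allowlist removed."""
    parser = AllowlistSanitizer()
    parser.feed(html_fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed inputs mirroring the walkthrough's own tests.
    for sample in ('<h1>TryHackMe</h1>',
                   '<a href="https://tryhackme.com">Click here!</a>',
                   '<iframe src="http://localhost:5000/admin"></iframe>'):
        print(repr(sample), "->", repr(sanitize(sample)))
```

The heading and the link from the walkthrough pass through untouched, while the iframe (tag and content) disappears. Rebuilding from an allowlist rather than stripping a blocklist is what keeps this fail-closed: a tag the author never thought about is simply never emitted.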
Let’s write some basic HTML code and see what happens as a result.
<h1>TryHackMe</h1>
<a href="https://tryhackme.com">Click here!</a>
Yes, it worked. So what can we do next?
Do you remember the first error we encountered? I have a feeling we’re thinking the same thing. The server itself renders our HTML into the PDF, so anything our markup tells it to load is fetched from the server’s side, which is exactly the “internal” access the error asked for. Maybe we can reach that page through HTML. Let’s try!
<iframe src="http://localhost:5000"></iframe>
An iFrame, also known as an Inline Frame, is an element that loads another HTML document inside of a web page. They are commonly used to embed specific content like external ads, videos, tags, or other interactive elements into the page.
src : Specifies the address of the document to embed in the <iframe>.
Great! In this way, we can see what is inside.
So we can apply the same logic to the admin directory. Are you excited like me? Uhhh..
<iframe src="http://localhost:5000/admin"></iframe>
Unbelievable! My friend, we did it.
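Sanitizing the markup is only half of the defence: the renderer runs on the server, so whatever it is permitted to fetch, it fetches from inside the network, and an IP-based “internal only” rule on the admin page cannot tell the renderer apart from an administrator. Below is an added example (mine, not code from the room) of the egress check a PDF service should apply to every URL the renderer is about to load, rejecting loopback, private, link-local and similar destinations. Literal IP addresses and the name localhost are classified without DNS; any other hostname is resolved with getaddrinfo, so that path needs name resolution. The 10.10.175.100 address is the room’s machine, used here only as a sample input.

```python
"""Egress check for a server-side HTML-to-PDF renderer (added example).

Not code from the MD2PDF room. Assumes the service can hook every resource
fetch (iframe, img, link, CSS url()) and ask this function before loading.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _host_addresses(host):
    """IP addresses for host: literal IPs are parsed directly, 'localhost'
    is mapped without DNS, anything else goes through getaddrinfo."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    if host.lower() == "localhost":
        return [ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")]
    infos = socket.getaddrinfo(host, None)
    # For IPv6 results the address may carry a scope id; ip_address accepts it.
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def _is_internal(addr):
    """True for any address the renderer must never be allowed to reach."""
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def is_safe_fetch_target(url):
    """Return True only for http(s) URLs whose every resolved address is public."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False  # file:, ftp:, data: and friends are never fetched
    try:
        addrs = _host_addresses(parts.hostname)
    except (socket.gaierror, ValueError, UnicodeError):
        return False  # unresolvable or malformed host: fail closed
    return bool(addrs) and not any(_is_internal(a) for a in addrs)


if __name__ == "__main__":
    # Constructed sample URLs; the first two are the walkthrough's iframe targets.
    for url in ("http://localhost:5000",
                "http://localhost:5000/admin",
                "http://127.0.0.1:5000/admin",
                "http://[::1]:5000/admin",
                "http://10.10.175.100/",
                "http://169.254.169.254/",
                "ftp://93.184.216.34/",
                "http://93.184.216.34/"):
        print(f"{url:35} -> {'allowed' if is_safe_fetch_target(url) else 'blocked'}")
```

Two caveats a practitioner would want: connect to the address you validated rather than re-resolving the name at fetch time (otherwise a changing DNS answer slips past the check), and run the renderer in a network namespace or container with no route to the internal ranges at all, so the check is a second layer rather than the only one.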
Congratulations, you found the flag! Before you leave, say goodbye to little Spider-Man.
Thank you for your time. See you soon! Until that time.. Happy Hacking ❤
Resources:
https://nmap.org/book/man-briefoptions.html
https://www.kali.org/tools/gobuster
https://en.wikipedia.org/wiki/HTTP_403
https://en.wikipedia.org/wiki/ExifTool